Sometimes, it turns out that the answers we struggled so hard to find were sitting right in front of us for so long that we somehow overlooked them. 
When the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, issues a cybersecurity warning and prescribes specific action, it’s a pretty good idea to at least read the

Sometimes, it turns out that the answers we struggled so hard to find were sitting right in front of us for so long that we somehow overlooked them.

When the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, issues a cybersecurity warning and prescribes specific action, it's a pretty good idea to at least read the joint advisory. In their advisory AA24-242A, DHS/CISA and the FBI told the entire cybercriminal-stopping world that to stop ransomware attacks, organizations needed to implement phishing-resistant MFA and ditch SMS-based OTP MFA.

****The Best Advice I Never Followed****

This year, we have experienced an astonishing surge in ransomware payments, with the average payment increasing by a staggering 500%. Per the "State of Ransomware 2024" report from cybersecurity leader Sophos, the average ransom has jumped by 5X reaching $2 million from $400,000 last year. Even more troubling, RISK & INSURANCE, a leading publication from the cybersecurity insurance industry, reported that the median ransom grew to $20 million in 2023, up significantly from $1.4 million in 2022, while actual payments surged to $6.5 million, compared to $335,000 previously. Clearly, the imperative to stop ransomware attacks and data breaches is at an all-time high.

This alarming trend highlights the growing sophistication of cyberattacks and the weaknesses inherent in outdated security practices. The leading vulnerability across all organizations is the widespread reliance on legacy Multifactor Authentication, which is proving ineffective against modern threats. According to CISA, 90% of successful ransomware attacks start with phishing. After credentials are stolen, legacy MFA is defeated, and the rest is history. Thus the mandate to move to phishing-resistant MFA.

****We're All Gonna Die****

The rapid rise in ransomware and data breaches has created a daunting challenge for organizations struggling to keep pace with the constant waves of novel attacks. This surge is driven by major advancements in cybercriminal techniques. As anticipated years ago, Generative AI has played a pivotal role in transforming cyberattacks, forcing many organizations to rethink their security approaches, but most have not adapted fast enough.

The rise of Generative AI has empowered cybercriminals to create highly convincing phishing emails, making them almost impossible for even the best-trained users to detect. Generative AI has significantly advanced phishing attack methods, making them more challenging for cybersecurity teams to defend against. Phishing remains the most common way attackers gain access to networks, accounting for 9 out of 10 ransomware incidents.

Cybercriminals are continually refining their strategies to maximize disruption and extract larger payments from vulnerable organizations. The world was shocked by the two-billion-dollar loss at Change Healthcare. Attackers understand the financial impact of their attacks and they leverage this to demand enormous sums, knowing many victims will comply to avoid even greater operational losses.

Generative AI has transformed phishing, enabling cybercriminals to craft realistic, personalized emails free of spelling and grammatical errors. In addition, these attacks often mimic trusted sources, making them extremely difficult to detect. By analyzing available data and mimicking different writing styles, AI-generated phishing attacks have become highly targeted and more effective, diminishing the value of traditional employee training for detecting phishing attacks.

****Bringing a Knife to a Nuclear War****

MFA has been a cornerstone of security for more than two decades, but ancient legacy systems such as One-Time Passwords (OTP) over SMS are no longer up to the task. Cybercriminals are easily bypassing legacy MFA solutions through phishing, SIM swapping, Man-in-the-Middle (MitM) attacks, and more. Legacy MFA has been breached in the majority of ransomware cases, underscoring its inadequacy in today's cybersecurity environment.

While attacks have evolved, one thing remains constant: user limitations. Humans continue to be the preferred target for cybercriminals. No amount of training will equip the average user with the ability to spot every advanced phishing attempt or deepfake.

Compounding this is the rise of deepfake technology. AI-generated voices and videos are now used to impersonate executives and trusted figures. Attackers use spoofed phone numbers and fake Zoom calls from trusted colleagues to trick employees into transferring funds or sharing credentials. These attacks exploit the trust employees have in familiar voices and faces, making them particularly dangerous.

The tools to carry out these attacks, once considered sophisticated, are now widely available on the dark web and require little technical expertise. What once required skilled hackers is now accessible to almost anyone, thanks to Ransomware-as-a-Service (RaaS) and AI-driven tools. This shift enables even individuals with minimal skills to launch complex cyberattacks, making the threat landscape more dangerous than ever.

****The Urgency of Phishing-Resistant MFA is the Next-Generation of MFA****

The adoption of phishing-resistant MFA is no longer just a recommendation—it's essential. Legacy MFA solutions are ineffective against today's sophisticated attacks. To combat the rising tide of ransomware and data loss, organizations must adopt next-generation, phishing-resistant MFA solutions. These advanced solutions are FIDO2 compliant, incorporate biometric authentication, such as facial recognition and fingerprints, making it far harder for attackers to compromise. Hardware-based MFA, biometrics, and FIDO-compliant technologies can dramatically reduce the likelihood of successful phishing attacks and potentially save billions in losses each year.

Biometric authentication has become a necessity. Biometrics are unique to each user, making them highly secure and very difficult to steal or replicate. Biometric traits like fingerprints and facial features eliminate the risks associated with passwords and provide protection against phishing and other social engineering attacks. Additionally, biometrics offer a seamless and user-friendly experience, reducing the likelihood of human error or support requests while improving security.

****Conclusion****

The revolutionary advancements in the technology of cyberattacks, driven by Generative AI and the widespread availability of Ransomware-as-a-Service, have exposed the critical vulnerabilities in legacy MFA systems. Phishing-resistant MFA is no longer a luxury but a necessity in the fight against ransomware and data breaches. Traditional cybersecurity approaches, such as SMS-based OTP, have proven inadequate against next-generation attacks.

To stay ahead of these new threat, organizations must prioritize implementing phishing-resistant, next-generation MFA solutions that are FIDO2-compliant and use biometric authentication. These solutions not only offer stronger protection but also provide a more user-friendly experience, reducing human error and the risk of phishing. As cybercriminals continue to advance their techniques, shifting to phishing-resistant MFA is essential for safeguarding organizations from increasingly devastating ransomware attacks and data breaches.

Discover how Token's phishing-resistant, Next-Generation MFA can protect your organization from advanced ransomware and data breaches at tokenring.com

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA 

Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

Thursday, October 24, 2024 06:00

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users' identities.  

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account--making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network. 

Watch the team discuss some of the major takeaways of the report, and recommendations for defenders

**Threats against identity **

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts.  

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user's credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations. 

**Ransomware **

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit. 

  
A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. 

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

**Looking forward:** While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor. 

****Targeting** **

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January - March), where the education and manufacturing companies were the most targeted. 

**  
**Initial access** **

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a _slight_ increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access. 

  
**Looking forward:** Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices. 

****Security weaknesses** **

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs. 

  
Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions. 

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking "uncategorized" websites in Cisco Umbrella’s "Web Content Categories" will help proactively mitigate suspicious or malicious activity. 

****Top-observed MITRE ATT&CK techniques** **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK appendix include:  

*   In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials. 
*   Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy. 
*   In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely. 

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Talos IR trends Q3 2024: Identity-based operations loom large

Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.
Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
"A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may

Vulnerability / Network Security

Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.

Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.

"A missing authentication for critical function vulnerability \[CWE-306\] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," the company said in a Wednesday advisory.

The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with fgfm service enabled and the below configuration on -

config system global
set fmg-status enable
end

Fortinet has also provided three workarounds for the flaw depending on the current version of FortiManager installed -

*   FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices to attempt to register
*   FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
*   FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate

According to runZero, a successful exploitation requires the attackers to be in possession of a valid Fortinet device certificate, although it noted that such certificates could be obtained from an existing Fortinet device and reused.

"The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices," the company said.

It, however, emphasized that the vulnerability has been not weaponized to deploy malware or backdoors on compromised FortiManager systems, nor is there any evidence of any modified databases or connections.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the defect to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.

Fortinet also shared the below statement with The Hacker News -

_After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.

Source: Artimages via Alamy Stock Photo

An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.

"Prometei" was first discovered in 2020, but later evidence suggested that it's been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.

"Prometei's reach is global due to its focus on widely used software vulnerabilities," explains Callie Guenther, senior manager of cyber-threat research at Critical Start. "The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. \[In this case\], organizations using unpatched or poorly configured Exchange servers are particularly at risk."

Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.

**Loud Entry Into Unloved Systems**

Don't expect an initial Prometei infection to be terribly sophisticated.

The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.

After its first successful login into a machine, the malware went to work testing out a variety of outdated vulnerabilities that might still be lingering in its target's environment. For example, it uses the half-decade old "BlueKeep" bug in the Remote Desktop Protocol (RDP) — rated a "critical" 9.8 out of 10 in the Common Vulnerability Scoring System — to try and achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have "high" 7.8 CVSS ratings.

Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective approach to weeding out better-equipped systems belonging to more active organizations.

"Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes," Mayuresh Dani, manager of security research at Qualys, points out. "The malware authors want to go after easy pickings, and in today's connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues."

**Prometei's Fire**

Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.

One particularly useful Prometei command evokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces those plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.

The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners' knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.

As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.

"I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there's probably more going on in your system," he says. "If you look at our 2021 blog, there was LemonDuck, a ransomware group, and \[Prometei\] all within the same machines."

**Russia Links**

There is one specific part of the globe that Prometei does not touch.

The botnet's Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled "Guest" or "Other user" in Russian.

Older variants of the malware contained bits of Russian-language settings and language code, and the name "Prometei" is a translation of "Prometheus" in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus' liver every day, only for the liver to persist through reboots each night.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Prometei' Botnet Spreads Its Cryptojacker Worldwide

The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-qqqw-gm93-qf6m: OS Command Injection in Snyk gradle plugin

The Snyk php plugin is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

GHSA-69f9-h8f9-7vjf: OS Command Injection in Snyk php plugin

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Source: MAHATHIR MOHD YASIN via Shutterstock

North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site.

**Elaborate Campaign**

"Over the years, we have uncovered many \[Lazarus\] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.

Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government's missile program.

In the latest campaign the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

**A Chrome Zero-Day and a Second Bug**

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit is that it does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn along AI-generated content and images to create an illusion of authenticity around their fake game site.

"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The software development kit will simplify building and testing of CHERI-enabled RISC-V applications.

Source: Mentor58 via Alamy Stock Photo

German processor design company Codasip has donated its latest RISC-V software development kit to chip security consortium CHERI Alliance to help developers add memory safety to chips.

RISC-V is an instruction set architecture (ISA) that allows developers and manufacturers to personalize silicon chips with capabilities to meet their needs, such as for use in smartphones, space technologies, industrial applications, and automotive technologies, to name a few. RISV-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

CHERI (Capability Hardware Enhanced RISC Instructions) extends ISA to manage memory access control to prevent common vulnerabilities, such as buffer overflows and memory corruption. The method involves isolating the hardware and software so that adversaries cannot inject attack code into memory. The CHERI Alliance is an industry consortium focused on promoting the development and adoption of security technologies that protect data stored in hardware memory.

Developers need access to tools and packages that are available for CHERI — this is what the SDK that Codasip built and donated to the CHERI Alliance offers. The compiler is capable of generating the modified instructions. Anyone implementing CHERI on RISC-V chips can access the SDK, which is freely available on GitHub.

The SDK includes:

*   C/C++ compiler and toolchain based on LLVM17
    

*   QEMU open source emulator
    
*   OpenSBI implementation of the RISC-V Supervisor Binary Interface
    

*   Yocto build system for Linux
    
*   Basic user space environment based on Busybox
    

"As more organizations and governments discover the potential of the CHERI technology to protect us, we need to speed up the pace of making the technology available in real systems," Codasip CEO Ron Black said in a statement. "We have made a massive effort to implement a full Linux-capable SDK that we are now opening for everyone to use."

**About the Author**

Codasip Donates Tools to Develop Memory-Safe Chips

Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Source: Jozef Polc via Alamy Stock Photo

In the final days of the 2024 US election season, Russian state-backed actors are pushing enormous amounts of fake news disguised as information from reputable news outlets with the intention of flooding the American news ecosphere with enough garbage to influence who eventually wins the White House.

The Kremlin's full-scale propaganda push, named Operation Overload by researchers at Recorded Future who uncovered the effort, is pretty basic: influence the outcome of the US election by overwhelming already thread-bare newsroom resources. If the handful of journalists and trusted news sources left standing in the US are endlessly deploying scarce investigative resources to chase down fake news, there are fewer journalists left to debunk the junk.

It's an effective tactic that has been used by Operation Overload before. The Russian state-backed group honed its fake news skills with similar campaigns in France recently, Recorded Future pointed out in its report.

"Previously attempting to undermine the 2024 French elections and the Paris Olympics, the operation is now shifting its focus to the 2024 US presidential election," the report warned. "It involves creating fake news sites, false fact-checking resources, and AI-generated audio that mimics legitimate media outlets."

The group also adds branding and logos that make the disinformation look like it's from a trusted US news organization, making it difficult for consumers to know what's real and what isn't.

**Taking Aim at Tim Walz**

Most recently, the Russian fake news farm has been pushing disinformation against vice presidential candidate Tim Walz.

"Based on newly available intelligence, for example, the IC assesses that Russian influence actors manufactured and amplified inauthentic content claiming illegal activity committed by the Democratic vice-presidential candidate during his earlier career," an alert from the office of the director of national intelligence warned on Tuesday.

Besides fake news doctored up to look like legitimate reports, AI-generated content, and flooding media with propaganda to fact check, the effort relies heavily on automated social media posts to continuously pump out bad information, Recorded Future said.

It's on Elon Musk's X platform where many of the Operation Overload disinformation gets a lot of traction. Three separate false narratives being pushed by the Russian troll farm against Walz in recent days were traced back to X accounts by CBS News.

In the days to come, Recorded Future warned Operation Overload will continue to push three distinct varieties of disinformation aimed at influencing the outcome of the US election: stoking political violence, targeting candidates, and vilifying Ukrainians as well as the LGBTQIA+ community.

"The operation seeks to directly inject influence content into mainstream discussion of contentious political issues, eroding public trust in the democratic process, provoking US domestic concerns of political violence and 'civil war,' and exploiting existing social divisions," the report explained.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

Source: Ascannio via Alamy Stock Photo

A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit.

The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft reported in an alert. 

Patches for the flaw were released in July as part of a series of Patch Tuesday updates, and it has since been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

The risk of potential continued exploitation of the vulnerability is further heightened due to the fact that a proof-of-concept is now available on GitHub for public viewing.

No additional details about how the vulnerability is being actively exploited have been shared, but due to these developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by Nov. 12.

**About the Author**

Tag

#auth